Ubuntu USN-432-2
History: Mar 13, 2007 - 12:00 a.m.

GnuPG2, GPGME vulnerability

2007-03-13 00:00:00
ubuntu.com

AI Score: 6 Medium (Confidence: Low)

CVSS2: 5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.274 Low (Percentile: 96.7%)

Releases

  • Ubuntu 6.10
  • Ubuntu 6.06

Details

USN-432-1 fixed a vulnerability in GnuPG. This update provides the
corresponding updates for GnuPG2 and the GPGME library.

Original advisory details:

Gerardo Richarte from Core Security Technologies discovered that when
gnupg is used without --status-fd, there is no way to distinguish
initial unsigned messages from a following signed message. An attacker
could inject an unsigned message, which could fool the user into
thinking the message was entirely signed by the original sender.
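
As an added illustration (not part of the Ubuntu advisory and not GnuPG's own fix), the following sketch shows how a caller that does read `--status-fd` output can tell the two cases apart by counting plaintext blocks and requiring a valid signature from one expected key. The acceptance policy, the function names and the sample status lines are assumptions of this example, and it covers inline-signed messages only, where gpg reports the plaintext it outputs.

```python
# Added example: policy check over GnuPG --status-fd output (constructed samples).
STATUS_PREFIX = "[GNUPG:] "
# Status keywords that report a failed, expired or revoked signature.
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return (keyword, args) pairs for each status line, ignoring other output."""
    events = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, rest = line[len(STATUS_PREFIX):].partition(" ")
            events.append((keyword, rest.split()))
    return events

def check_signed_message(status_text, expected_fpr):
    """Accept only a single plaintext block validly signed by expected_fpr.

    Returns (accepted, reason). The policy is this example's assumption.
    """
    events = parse_status(status_text)
    keywords = [k for k, _ in events]
    plaintexts = keywords.count("PLAINTEXT")
    if plaintexts == 0:
        return False, "no plaintext reported"
    if plaintexts > 1:
        # The advisory's case: additional data alongside the signed message.
        return False, "more than one plaintext block in the input"
    if FAILURES.intersection(keywords):
        return False, "signature failure reported"
    if "GOODSIG" not in keywords:
        return False, "no good signature reported"
    valid = [args[0] for k, args in events if k == "VALIDSIG" and args]
    if valid != [expected_fpr]:
        return False, "not exactly one valid signature from the expected key"
    return True, "single plaintext block with a valid signature"

# Constructed samples, not captured from a real gpg run; the fingerprint,
# timestamps and user ID are placeholders.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SIGNED_ONLY = f"""[GNUPG:] PLAINTEXT 62 1173744000 msg.txt
[GNUPG:] GOODSIG {FPR[-16:]} Example Sender <sender@example.org>
[GNUPG:] VALIDSIG {FPR} 2007-03-13 1173744000 0 3 0 17 2 00 {FPR}
"""
UNSIGNED_THEN_SIGNED = "[GNUPG:] PLAINTEXT 62 0 \n" + SIGNED_ONLY

if __name__ == "__main__":
    for name, sample in (("signed only", SIGNED_ONLY),
                         ("unsigned + signed", UNSIGNED_THEN_SIGNED)):
        print(name, "->", check_signed_message(sample, FPR))
```
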

OS      Version  Architecture  Package     Version              Filename
Ubuntu  6.10     noarch        libgpgme11  < 1.1.2-2ubuntu0.1   UNKNOWN
Ubuntu  6.10     noarch        gnupg2      < 1.9.21-0ubuntu5.3  UNKNOWN
Ubuntu  6.06     noarch        libgpgme11  < 1.1.0-1ubuntu0.1   UNKNOWN
